Confirm that the user has an active account in the LDAP directory server and that the account password is not expired.

In the Cloud Administration Console, confirm that the user exists.

Confirm that the user is using the correct username (email address), password (LDAP directory server), and Company ID. The Company ID must match the value configured in the Cloud Administration Console under Company Settings. For more information, see Configure Company Information and Certificates.

Enter the User ID and Company ID that you provided and the network password.

A user believes that device registration is complete. However, RSA SecurID Access instructs the user to install the RSA SecurID Authenticate app.

In the Cloud Administration Console , click Users > Management, navigate to the user's Devices page, and confirm that the device is listed. If the device does not appear, instruct the user to complete device registration again.

A user is concerned about the RSA SecurID Authenticate for Android app requesting multiple permissions during device registration.

An iOS or Android user sees the following error message in the RSA SecurID Authenticate app: Untrusted Connection.

If your company uses Secure Sockets Layer (SSL) interception, users will see this message during device registration.

Instruct users to complete device registration using a Wi-Fi network that does not use SSL interception, such as a cellular data or a home Wi-Fi network. They can use corporate Wi-Fi after device registration is complete.

If users see this message after device registration is complete, consult your company's IT team to resolve the issue.

A user is prompted to complete device registration, although the user has already completed device registration.

The user might see this message if you have deleted the user's device in the Cloud Administration Console . Instruct the user to complete device registration again.

A user with Android operating system 5.0 or below changes the method to unlock the lock screen (if any) that secures the device. For example:

PasswordA to PasswordB

PIN to NONE

NONE to Swipe

After doing so, the user is unexpectedly asked to complete device registration again.

Due to an Android operating system issue, the user must repeat device registration.

Review the RSA SecurID Authenticate for Android logs for this event.

A user completes device registration on one device and then gets a new device. The user needs to complete device registration on the new device.

A user receives the following error message when registering a device: Unsuccessful RSA SecurID Access Setup. You have another device registered with RSA SecurID Access. Contact your administrator.

The user either already has a registered device or performed a factory reset on an existing registered device and tried to re-register. An Android 8.0 (Android O) user who re-installs the Authenticate app on the same device also sees this message.

An Android user receives one of the following unsuccessful setup messages and cannot complete device registration or add another company:

This device or the software running on it is not supported.

An error occurred.

If the user receives the "error occurred" message, instruct the user to try again.

If the user receives the "not supported" message, the user might have a rooted or non-compliant device or a device that does not have Google Play Services. In these situations, the user cannot complete device registration or add a company.

Credentials used to sign in are associated with multiple user accounts.

An internal server error occurred.

The concurrent session limit has been reached.

A password reset is required.

Also, check that the user is included in the scope of the identity source that was added to RSA SecurID Access. Identity sources are configured in the Cloud Administration Console and enable users to access protected applications in the application portal.

A user expects to have access to an application but cannot see the application.

Sign into the Cloud Administration Console.

If the issue is limited to one user, see Access Policies for more information.

RSA SecurID Access does not display Eyeprint ID as an available authentication option to a user, even though the user is accessing an application that is assigned to an assurance level that includes Eyeprint ID.

Confirm that the user has enrolled in Eyeprint ID. Confirm that the user sees Enrolled next to Eyeprint ID in the My Account screen.

If the user does not see Enrolled, instruct the user to enroll in Eyeprint ID in the My Account screen. If the user cannot see Eyeprint ID on the My Account screen, the user has an unsupported device.

Authentication Methods

Issue

Resolution

Authentication is unsuccessful.

Investigate these areas:

Confirm that an internet connection is available.

Determine the authentication method that the user provided for authentication. Sign into the Cloud Administration Console, click Users > Event Monitor, and view the events associated with the user to see which authentication method or assurance level has been applied.

An iOS user with a Touch ID-capable device that is running iOS 8 or later cannot authenticate with fingerprint verification.

RSA SecurID Access supports fingerprint verification only on a Touch ID-capable device that is running iOS 8 or later or a Samsung or Android version 6.0 or later device with a fingerprint sensor. The user must also set up Touch ID or register a fingerprint.

If the RSA SecurID Authenticate is installed on a Touch ID-capable device that was recently upgraded from iOS 7 to iOS 8, the user must reinstall the RSA SecurID Authenticate and repeat device registration to authenticate with fingerprint verification.

A user cannot complete Eyeprint ID enrollment.

A user is enrolled in Eyeprint ID but cannot authenticate with Eyeprint Verification.

Instruct the user to move to a location with more light and look into the app screen window with both eyes.

Instruct the user to clean the camera lens.

If the user has enrolled in Eyeprint ID but still cannot authenticate, instruct the user to recreate the Eyeprint in the My Account screen. The user must provide the password entered during device registration. If the user uses the RSA SecurID Authenticate app with multiple companies, the user must provide the password of the first company in the app Companies list.

Review the RSA SecurID Authenticate logs for additional information.

A user with multiple companies in the RSA SecurID Authenticate app questions how Eyeprint ID works with these multiple companies.

The user needs to enroll in Eyeprint ID one time, and then the RSA SecurID Authenticate app uses the same Eyeprint for all companies in a user's RSA SecurID Authenticate app.

For security purposes, when enrolling in Eyeprint ID, recreating the Eyeprint, or unenrolling Eyeprint ID, the RSA SecurID Authenticate app prompts the user for the password of the first company in the Companies list in the app. For example, a user completes device registration for Company A. The user does not use Eyeprint Verification for Company A. The user adds Company B to the app. The user must use Eyeprint Verification for Company B, so the user enrolls in Eyeprint ID in the app. The RSA SecurID Authenticate app prompts the user to enter the password for Company A.

A user sees the following error message in the browser when trying to authenticate: Cannot Contact Your Mobile Device.

When RSA SecurID Access detects an unexpected error while trying to contact a user's mobile device, this error appears.

Instruct the user to try again in a few minutes, or to select a different authentication method. (If the application is assigned an assurance level that does not have optional methods, then authentication fails.)

A user wants a simple way to copy the RSA SecurID Authenticate Tokencode into a mobile browser.

On iOS, the user can tap the numbers in the tokencode and then tap Copy.

On Android, the user can long-press the numbers in the tokencode.

On Windows, the user can tap or click the area around the tokencode and then select Copy.

A user taps Approve in the RSA SecurID Authenticate app but is not authenticated to the application.

A user has one minute to tap Approve after the Approve screen appears in the app. It is likely that the user tapped Approve near the end of that timeout interval.

Review the RSA SecurID Authenticate logs for timeout events.

A user cancels the Contacting Your Mobile Device screen in the browser, sees the RSA SecurID Authenticate Tokencode screen in the browser, and a different authentication screen appears in the RSA SecurID Authenticate.

Instruct the user to cancel the authentication screen in the RSA SecurID Authenticate app, go to the home screen in the app, and enter the RSA SecurID AuthenticateTokencode in the browser screen.

Eyeprint data is stored locally on the device. Cloud Authentication Service does not store Eyeprint data.

A user can view the tokencode on the app home screen without providing additional authentication, although an administrator has enabled the setting to require additional authentication to view the tokencode.

Instruct the user to restart the RSA SecurID Authenticate app.

Restarting the app forces this setting to take effect.

A user cannot reset the PIN used to view the RSA SecurID Authenticate Tokencode.

Confirm that the user's device is online and the user enters the network password.

In certain situations, an iOS user must use fingerprint verification to reset the PIN. Instruct the user to add at least one fingerprint to use for Touch ID. Then instruct the user to tap View Tokencode on the home screen, and follow the instructions.

In certain situations, an iOS user must use the My Account screen to delete all companies that require additional authentication to view the RSA SecurID Authenticate Tokencode, then complete device registration again for those companies. Instruct the user to do this. Then instruct the user to tap View Tokencode on the home screen, and follow the instructions.

In the Cloud Administration Console, click Users > Management, navigate to the user's Devices page, and confirm that the device is listed and Active.

Confirm that the user has enabled the app to receive push notifications. On iOS, confirm that Alert Style is not set to None. If notifications are disabled, instruct the user to either enable notifications or open the app and pull down on the home screen to retrieve any push notifications.

Review the app logs for notification events.

An iOS user does not use Alert Notification Services (ANS) but needs to use the RSA SecurID Authenticate app.

An iOS user can disable both ANS and RSA SecurID Authenticate for iOS push notifications. For mobile authentication methods, the user must pull down on the app home screen to retrieve push notifications.

An Android user does not want the RSA SecurID Authenticate app to use push notifications.

A user forgets the device that has RSA SecurID Authenticate app installed on it, and wants to access an application protected by RSA SecurID Access.

If the application is assigned an assurance level that can be satisfied with a non-mobile authentication method such as SecurID Token or FIDO Token, and if the user possesses one of those tokens, then the user can complete authentication.

A user lost the device that has the RSA SecurID Authenticate app installed on it.

In the Cloud Administration Console , delete the user's device. Another user in possession of the lost device might be able to authenticate to a protected application if that user knows the device owner's LDAP directory password.

A user mistakenly uninstalled the RSA SecurID Authenticate app.

Instruct the user to install the app and complete device registration again. Provide the user with the correct email address and Company ID.

A user performed a factory reset on a device and the Authenticate app was deleted.

In the Cloud Administration Console , delete the user's device and instruct the user to install the app and complete device registration again.

An Android user is connected to the internet but continues to see the following error message: Check your internet connection.

This error appears when the user is signed into a secure Wi-Fi network but has not yet entered the password. Instruct the user to enter the network password and then continue.

Review RSA SecurID Authenticate for Android logs for this event.

A user is prompted to accept the EULA or enter a User ID and Company ID again after device registration.

This can occur for the following reasons:

You deleted the device from the Cloud Administration Console . As a result, the user must register the device again.

On Android, the user cleared data for the app. As a result, the user must register the device again.

The user uninstalled and reinstalled the app. As a result, the user must accept the EULA again.

Review the RSA SecurID Authenticate logs for this event.

More than one user wants to use the same device and same app.

RSA SecurID Access supports only one device per user. A user cannot sign out of the app so that another user can sign into the app.

On a Windows 10 desktop, multiple users can use the same machine as long as each user has a unique account and has completed Authenticate device registration on that account.

A user experiences an issue with the app and needs troubleshooting help.

Review the app logs. Ask the user to send you the logs using these instructions.

From the app More screen, tap or click Email Logs. If necessary, select the email app to use.

In the new e-mail message, enter your email address, and click Send.

You can also use the Cloud Administration Console Event Monitor to troubleshoot user issues. Click Users > Event Monitor.

A user expresses concern about the app requesting permission to collect usage data using Google Analytics.

The RSA SecurID Authenticate app requests user permission to collect anonymous usage data to improve the app. A user allows or denys this request during the initial opening of the app. A user can also change this setting in the following locations:

iOS: Authenticate app Settings screen

Android and Windows: Authenticate app More screen

The user's selection for this setting does not impact the functionality of the app.